565 matches found
CVE-2026-55517
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response...
CVE-2026-49860
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially...
CVE-2026-49983
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot...
CVE-2026-49440
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrimecandidate, options, callback and crypto.checkPrimeSynccandidate, options ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied ...
CVE-2026-49402
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...
CVE-2026-49401
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done...
CVE-2026-49411
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address fo...
CVE-2026-49406
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode nodeModulesDir: "manual", the module resolver did not validate that a package's resolved entrypoint stayed within its nodemodules// directory. A malicious package.json whose main field...
CVE-2026-49859
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name...
CVE-2026-44726
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When autoSelectFamily was enabled and the first address-family attempt...
CVE-2026-55517
CVE-2026-55517 affects Deno prior to 2.7.5, where a client WebSocket handshake could crash the process if the server returned non-ASCII bytes in Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers. The root cause is parsing those headers as ASCII strings, triggering a panic when non-printa...
CVE-2026-55517 Deno: Denial of service via non-ASCII bytes in WebSocket response headers
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response...
CVE-2026-44726
CVE-2026-44726 affects Deno (2.0.0–2.7.8) via the Node.js tls compatibility layer. When autoSelectFamily is enabled and the first address-family attempt fails, the socket reinitialization path reuses a stale TLS upgrade hook tied to the original failed handle, causing the replacement TCP connecti...
CVE-2026-49401
CVE-2026-49401 describes a permission bypass in Deno on macOS APFS prior to v2.7.14. The denial checks for --deny-read/--deny-write/--deny-run/--deny-ffi were performed at the raw-byte level, but APFS considers different Unicode spellings of the same name as the same file. This allowed a process ...
CVE-2026-49401 Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done...
CVE-2026-49402
Deno is affected by CVE-2026-49402 on Windows when using node:child_process with shell: true. The escapeShellArg() helper failed to properly quote arguments containing cmd.exe metacharacters (e.g., &, |, , ^, !, (, )), and did not neutralize % inside double-quoted strings. This allowed an attacke...
CVE-2026-49402 Deno: Command Injection via spawnSync & spawn on Windows
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...
CVE-2026-49406
The CVE describes a vulnerability in Deno when run in BYONM mode (nodeModulesDir: "manual"): the module resolver could bypass the read boundary by resolving a package.json main field containing .. segments, allowing a malicious package to read files outside the approved --allow-read scope via req...
CVE-2026-49411
Summary (technical, grounded): CVE-2026-49411 affects Deno’s Node.js compatibility TCP path. Prior to v2.8.0, permission checks for deny-net were performed on the original hostname string before DNS resolution and not re-checked after resolution. This allowed a numeric IP alias (for example 21307...
CVE-2026-49983
Summary of CVE-2026-49983 details (Deno): Deno’s process.loadEnvFile() incorrectly bypasses env permission checks. It only verifies read permission on the dotenv file and then writes all keys from the file into process.env, even if env access is denied. This means that with --allow-read and a wri...